Sudo Manager Plugin

Sudo Manager provides a plugin that fits into sudo's modular framework to handle security policy processing. This plugin, along with supporting components and utilities, makes up Sudo Manager and must be installed on all sudo hosts whose files you want to manage (sudoers files and generated data). During installation, the active sudoers files from this host are securely transported to the centralized Sudo Manager Policy Server repository for storage and maintenance, and the local copy is effectively disabled.


Once the sudo policy has been moved to the Sudo Manager Policy Server host and the Sudo Manager policy plugin is specified in sudo.conf, any edits to the sudo client's /etc/sudoers or its included files are ignored. Changes to sudoers policies are made on the Sudo Manager Policy Server by checking out the sudoers files, editing them, and checking them back in.

Whenever sudo is invoked on the target host to run a command, Sudo Manager on that host first ensures that it has the latest sudoers file from the Sudo Manager Policy Server before proceeding to policy processing. It saves a cached copy of the sudoers policy file so that users are never prevented from issuing sudo commands if network issues arise. The cached policy remains valid for a configurable amount of time; once that time has elapsed, the next sudo invocation triggers an update from the Policy Server.


Use the pbsudofailover keyword to enable or disable use of the cached policy. By default, this keyword is set to no. To allow the Sudo Manager client to fail over to the cached policy when connections to all Sudo Manager policy servers or logservers fail, set pbsudofailover to yes in /etc/pbsudo.settings.

You can also set it to yes in pbsudo.settings.default so that any new Sudo Manager client installation has it set to yes in its pbsudo.settings file.

Sudo password validation occurs after policy processing, so password errors are not recorded as "rejects" in the Sudo Manager event log. Instead, a finish event is generated with the exitstatus "ConfirmUser <username> failed".

Install Sudo Manager Plugin

Sudo Manager must be installed on all sudo hosts. The minimum required version of sudo is v1.8.23, and the policy constructs used in the sudoers file must be ones available in sudo v1.9.0 or earlier. Installation requires client registration, so you will also need the Sudo Manager Policy Server's Application ID, Application Key, and Client Profile name, as well as the hostname and port of its REST service.

The sudomgrinstall installer program registers the target sudo host and securely transfers the sudoers policy file, along with the relevant include files, to the Sudo Manager Policy Server for storage and maintenance. It then installs Sudo Manager's customized policy plugin (pbsudomgr.so), hooks it into the sudo front-end configuration (sudo.conf), and deactivates any preexisting policy-processing plugins.

Configure Sudo Manager Plugin

After installation, the configuration file /etc/pbsudo.settings is created with the information Sudo Manager needs to function properly (for example, the identity of the logservers).

The keywords listed below are important Sudo Manager settings.

Sudo Manager Required Settings

  • submitmasters
  • enforcehighsecurity
  • logport
  • logservers
  • networkencryption
  • pbrestport
  • restkeyencryption
  • sharedlibcurldependencies
  • sharedlibssldependencies

Optional Sudo Manager Settings

  • pbsudofailovertimeout
  • pbsudorefresh
  • registrynameservice
  • sslengine
  • sslpbruncipherlist
  • pbsudofailover
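The following script is an added example and is not part of the Sudo Manager documentation or product. It is a read-only host check for the three points made above: that the installed sudo meets the v1.8.23 minimum, that sudo.conf loads pbsudomgr.so as the policy plugin (so local sudoers edits are ignored), and that pbsudofailover is set to yes in pbsudo.settings (so the cached policy is used when every policy server and logserver is unreachable). The plugin symbol name `sudoers_policy`, the path `/usr/lib/pbsudomgr.so`, the hostnames, and the one-`keyword value`-per-line layout of pbsudo.settings are assumptions made for the example; the sample files it writes are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the Sudo Manager documentation or product.
# Read-only checks: (1) sudo version >= 1.8.23, (2) sudo.conf loads
# pbsudomgr.so as the policy plugin, (3) pbsudofailover is "yes".
# Assumptions: plugin symbol "sudoers_policy" and path /usr/lib/pbsudomgr.so
# are placeholders; pbsudo.settings is assumed to hold one "keyword value"
# pair per line with "#" comments. Sample file contents are constructed.

# Returns 0 when the first line of `sudo -V` output (passed as $1) reports
# a version of at least 1.8.23, e.g. "Sudo version 1.9.5p2".
sudo_version_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    # Pack major.minor.patch into one comparable integer (1.8.23 -> 1008023).
    n=$(printf '%s\n' "$v" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    [ "$n" -ge 1008023 ]
}

# Returns 0 when the sudo.conf given as $1 has a "Plugin <symbol> <path>"
# line (comments and blank lines skipped) whose path ends in pbsudomgr.so.
sudomgr_policy_plugin_active() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "Plugin" && $3 ~ /(^|\/)pbsudomgr\.so$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prints the value of keyword $2 from the pbsudo.settings-style file $1,
# or nothing when the keyword is absent (first match wins).
setting_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { print $2; exit }
    ' "$1"
}

# Runs all three checks, prints one line per finding, and returns 0 only
# when every check passes. $1: `sudo -V` first line, $2: sudo.conf path,
# $3: pbsudo.settings path.
check_sudomgr_host() {
    rc=0
    if sudo_version_ok "$1"; then
        echo "OK:   sudo version meets the v1.8.23 minimum ($1)"
    else
        echo "FAIL: sudo older than v1.8.23 or unrecognised version line ($1)"; rc=1
    fi
    if sudomgr_policy_plugin_active "$2"; then
        echo "OK:   $2 loads pbsudomgr.so as the policy plugin"
    else
        echo "FAIL: $2 does not load pbsudomgr.so as the policy plugin"; rc=1
    fi
    failover=$(setting_value "$3" pbsudofailover)
    if [ "$failover" = "yes" ]; then
        echo "OK:   pbsudofailover yes (cached policy used if all servers are unreachable)"
    else
        echo "WARN: pbsudofailover is '${failover:-no}' (default no); cached policy will not be used"; rc=1
    fi
    return $rc
}

# Writes constructed "good" and "bad" sample files under a new temp
# directory and prints that directory. Nothing here reflects a real host.
write_samples() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/good" "$dir/bad"
    cat > "$dir/good/sudo.conf" <<'EOF'
# constructed sudo.conf: Sudo Manager plugin hooked in, stock plugin disabled
#Plugin sudoers_policy sudoers.so
Plugin sudoers_policy /usr/lib/pbsudomgr.so
EOF
    cat > "$dir/good/pbsudo.settings" <<'EOF'
# constructed pbsudo.settings (hostnames are placeholders)
submitmasters policyserver.example.com
logservers logserver.example.com
pbsudofailover yes
EOF
    cat > "$dir/bad/sudo.conf" <<'EOF'
# constructed sudo.conf: stock sudoers plugin still active
Plugin sudoers_policy sudoers.so
EOF
    cat > "$dir/bad/pbsudo.settings" <<'EOF'
# constructed pbsudo.settings: pbsudofailover left at its default (no)
submitmasters policyserver.example.com
logservers logserver.example.com
EOF
    printf '%s\n' "$dir"
}

# Demo over the constructed samples. On a real host you would pass
# "$(sudo -V | head -n 1)" /etc/sudo.conf /etc/pbsudo.settings instead.
d=$(write_samples)
check_sudomgr_host "Sudo version 1.9.5p2" "$d/good/sudo.conf" "$d/good/pbsudo.settings" || :
check_sudomgr_host "Sudo version 1.8.21" "$d/bad/sudo.conf" "$d/bad/pbsudo.settings" || :
rm -rf "$d"
```

The plugin check looks only at the shared-object name on `Plugin` lines, so a commented-out stock `sudoers.so` line is correctly ignored; the settings lookup treats the keyword as an exact, case-sensitive match, which is the conservative choice when the real file's parsing rules are not known.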